How to protect yourself against Phishing Attacks

“Phishing” is the sending of emails that purport to come from someone other than the real sender, in an attempt to get you to give up sensitive information such as username/password combinations, banking details, Social Insurance Numbers (SINs), and so on.

Some of them are very sophisticated, and they use a number of techniques to try to fool you, including making linked sites look exactly like the real sites they are spoofing. Here are some ways in which they can be identified.

1: Beware of embedded links in emails.

Before you click a link in an email, even one that seems to come from a trusted source, hover your cursor over it. Most mail clients and browsers will show you the actual address the link leads to, usually in the status bar at the bottom of the window; on a phone or tablet, press and hold the link instead of tapping it. If that address doesn’t match the text of the link, or isn’t where you would expect that sender to send you, the message may not be genuine.
If you DO click a link before checking, look at the URL in the address bar at the top of your browser window – that is where you actually are. If you were expecting to be at https://cibc.ca and it reads https://grockle.whereami.de/wpadmin/splat.html, close the tab immediately and don’t type anything into the page, even if it *looks* like the CIBC site you’re used to seeing.

2: Beware of unexpected attachments

Any attachment in an email may be dangerous, so be careful what you do with it. Simply receiving an attachment normally poses no danger; the risk comes when you open it, which can set off unexpected and harmful behaviour. We recommend that you only open attachments that you were expecting, from someone you know, but bear in mind that providing a fake From: address is easy to do. If you receive an attachment from someone you don’t know, we recommend deleting it. If you receive an attachment that seems to come from someone you know but that you were not expecting, check with that person by some other route (phone them, or start a new message to the address you already have for them) rather than replying to the message: a reply to a forged message goes back to the forger, who will happily confirm that it is genuine. If you are in any doubt at all, delete the attachment. If it was genuine, the sender can re-send it.

3: Understand how URLs and domain names work.

If you do check the URL, you need to understand how Internet naming works. The host name is the part of the address between the “://” and the next “/” (anything before an “@” in that part is a user name, not the site you will land on). A host name is a series of labels, groups of letters, digits and hyphens, separated by dots (periods). The most significant parts are on the right and the most local parts are on the left, so only the right-hand end tells you who owns the name.

So: securelogin.scotiabank.ca most likely belongs to Scotia Bank.
But: securelogin.scotiabank.ca.vxl.it is part of the vxl.it domain, and is almost certainly NOT connected to Scotia Bank in any way.
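The two checks above, the hover target versus the visible link text (section 1) and right-anchored matching of the host name against the domain you expect (section 3), written out as a small Python script. This is an added example, not code from the original page: the message body, the link addresses in it and the function names are all made up for illustration, and it uses only the standard library.

```python
"""Link checks for a suspected phishing email (added example, not from the page):
1. does the link really go to the domain the sender claims to be?
2. does the visible text of the link disagree with where it actually goes?"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def hostname(url: str) -> str:
    """Host part of a URL, lower-cased, without user name, port, path or a
    trailing dot.  'https://cibc.ca@evil.example:8443/x' -> 'evil.example':
    the 'cibc.ca@' is a user name, and the browser goes to evil.example."""
    url = url.strip()
    if "://" not in url:          # mail clients often show bare 'www.x.ca/...'
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def belongs_to(host: str, expected_domain: str) -> bool:
    """True when host is expected_domain or one of its subdomains.
    Labels are compared from the right (the most significant end), so
    'securelogin.scotiabank.ca.vxl.it' and 'notscotiabank.ca' both fail
    for expected_domain 'scotiabank.ca'."""
    host_labels = host.lower().rstrip(".").split(".")
    exp_labels = expected_domain.lower().rstrip(".").split(".")
    if len(host_labels) < len(exp_labels):
        return False
    return host_labels[-len(exp_labels):] == exp_labels


def looks_like_url(text: str) -> bool:
    """Visible link text that a reader would take to be an address."""
    t = text.strip().lower()
    return t.startswith(("http://", "https://", "www."))


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str, expected_domain: str) -> list:
    """Reasons a link is suspicious; an empty list means it passed both rules."""
    reasons = []
    target = hostname(href)
    if not belongs_to(target, expected_domain):
        reasons.append(f"target host {target!r} is not under {expected_domain}")
    if looks_like_url(text) and hostname(text) != target:
        reasons.append(f"visible text points at {hostname(text)!r} "
                       f"but the link goes to {target!r}")
    return reasons


def suspicious_links(html: str, expected_domain: str) -> list:
    """(href, visible text, reasons) for every link that fails a check."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        reasons = check_link(href, text, expected_domain)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample: a message claiming to come from Scotiabank.  The first
# link is a look-alike domain, the second hides the real host behind an '@',
# and the third is a genuine subdomain and should pass.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please visit
<a href="https://securelogin.scotiabank.ca.vxl.it/login">https://securelogin.scotiabank.ca</a>
to reconfirm your account, or
<a href="https://scotiabank.ca@grockle.whereami.de/wpadmin/splat.html">sign in here</a>.</p>
<p>Genuine link for comparison:
<a href="https://securelogin.scotiabank.ca/">Online banking</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, "scotiabank.ca"):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Run as written, the first two links are reported and the third passes. belongs_to deliberately compares whole labels from the right, so a name that merely contains “scotiabank.ca” somewhere, such as notscotiabank.ca or scotiabank.ca.vxl.it, is rejected; and hostname treats anything before an “@” in the host part as a user name, which is exactly how a browser resolves https://scotiabank.ca@grockle.whereami.de/…, so that trick is caught too.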

4: The message contains poor spelling and grammar

Reputable companies will normally check spelling and grammar in emails sent out to the public. It’s fairly common for phishing emails to contain errors, partly because many of them originate in countries where English is not the first language. The reverse doesn’t hold, though: a well-written message is not evidence that it is genuine, and the more carefully targeted attempts are often flawless.

5: The message asks for personal information

No matter how official an email message might look, it’s always a bad sign if the message asks for personal information. Your bank doesn’t need you to send it your account number – it already knows what that is. Similarly, a reputable company should never send an email asking for your password, credit card number, or the answer to a security question.

6: The message seems too vague or generic

When I send out emails to customers I usually try to include some specifics that are known to us, but are unlikely to be known to random scammers – I may include your customer number, and possibly your company name as we have it in our customer database. If an email refers to “Customer” or “Email user”, or even “incentre.net customer” it’s likely to be a scam. The first two indicate that the sender knows nothing about you; the third seems to be more genuine, but that domain was just extracted from your email address.

7: The message makes unrealistic threats

Some phishing attempts use intimidation to pressure the reader into acting quickly and without care. Many of these ask you to “reconfirm” some information which the apparent sender should already know. For example:

Dear incentre.net user:

We are conducting a security audit of our mail accounts. Please follow this link … and reconfirm your email account and password. Failure to do so within three days will result in your account being deleted and all your mail being lost.

It is unlikely that a reputable company would simply delete an account if you fail to respond to a single warning.

8: Something just doesn’t look right

In Las Vegas, casino security teams are taught to look for anything that JDLR—just doesn’t look right, as they call it. The idea is that if something looks off, there’s probably a good reason why. This same principle almost always applies to email messages. If you receive a message that seems suspicious, it’s usually in your best interest to avoid acting on the message.